Google, Meta, Spotify accused of flouting Apple’s device fingerprinting rules (2024)

Security researchers allege that several apps are collecting data from iOS devices, violating Apple’s policy on device fingerprinting.

Apple’s campaign for user privacy on iOS faces a potential setback: a new report accuses tech giants including Google, Meta, and Spotify of flouting the company’s guidelines on device fingerprinting.

Device fingerprinting is a technique that collects assorted details from a user’s device, such as the system boot time or the amount of available disk space, and combines them into an identifier that is stable enough to single out that device. The identifier can then be used to track users across apps and services for personalized advertising, a practice the iPhone maker has increasingly restricted.

To curb this practice and strengthen user privacy, Apple recently introduced stricter rules for app developers on the use of so-called required reason APIs (application programming interfaces) and of third-party SDKs (software development kits).

However, security researchers Tommy Mysk and Talal Haj Bakry claim that tech giants including Google, Meta, and Spotify are circumventing these rules. Their investigation, published on the Mysk blog, suggests that these apps read device data through those APIs and then send it off-device, potentially violating Apple’s policies.

“We found out that apps such as Google Chrome, Instagram, Spotify, and Threads don’t adhere to their declared reasons,” Mysk wrote in the blog.

Requiring developers to describe their use of the “required reason API” is a great attempt to prevent fingerprinting, Mysk said in the blog. “The process also educates developers about such APIs and why access to them should be minimized and signals retrieved from the APIs should remain on-device and never be sent off-device.” But that is the theory, the researchers added.

Google, however, refuted the allegations.

“We’ve reviewed the research and determined that Chrome’s behavior does not violate Apple’s policy, and the data is not being used for fingerprinting,” a Google spokesperson said. “Instead, this data is being used to ensure proper device functionality.”

According to Google, the data being sent off-device is not derived from the “required reasons APIs.” The data is used to make sure the device keeps functioning properly when its clock changes, for example after a flight into a different time zone.

Meta and Spotify did not answer questions, and Apple did not respond to queries on the matter.

In an X thread, the Mysk researchers said more apps were found to be sending the collected data off-device, including YouTube, Reddit, eBay, and Discord.

“The new rule came into effect on May 1, 2024. So we’re testing popular apps that get updated after that deadline,” Mysk said.

What is the issue?

Apple’s guidelines aim to ensure that apps and third-party SDKs use these APIs only for their intended purposes, without infringing on user privacy or engaging in fingerprinting, Apple said in a blog post. The guidelines also require that data obtained through the “required reason APIs” not be sent off-device.

“Regardless of whether a user gives your app permission to track, fingerprinting is not allowed,” Apple said in the blog post. “Describe the reasons your app or third-party SDK on iOS, iPadOS, tvOS, visionOS, or watchOS uses these APIs, and check that your app or third-party SDK only uses the APIs for the expected reasons.”

The new policy requires app developers to explicitly disclose, in the app’s privacy manifest, why they use each “required reason” API. These measures, Apple said, are meant to ensure developers use the APIs for their intended purpose and not for covert tracking.

The guidelines also warn developers that Apple will reject submissions that do not comply.

“Starting May 1, 2024, apps that don’t describe their use of required reason API in their privacy manifest file aren’t accepted by App Store Connect,” Apple said in the blog. “If you upload an app to App Store Connect that uses required reason API without describing the reason in its privacy manifest file, Apple sends you an email reminding you to add the reason to the app’s privacy manifest.”
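What such a declaration looks like in practice, as an added example that is not from the article, from Apple’s post, or from any of the apps named above: a minimal PrivacyInfo.xcprivacy privacy manifest for a hypothetical app that declares the two API categories the article mentions, system boot time and disk space. The key names, category identifiers and reason codes are Apple’s published ones; which reasons this hypothetical app claims, and the empty tracking and collected-data sections, are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Illustrative manifest (not from any real app): this hypothetical app
         declares that it does no ATT-style tracking and collects no data types. -->
    <key>NSPrivacyTracking</key>
    <false/>
    <key>NSPrivacyTrackingDomains</key>
    <array/>
    <key>NSPrivacyCollectedDataTypes</key>
    <array/>

    <!-- Required reason API declarations: one dict per API category, each
         listing the Apple-defined reason codes under which it is used. -->
    <key>NSPrivacyAccessedAPITypes</key>
    <array>
        <dict>
            <!-- System boot time category (e.g. ProcessInfo.systemUptime,
                 mach_absolute_time). Reason 35F9.1: measure time elapsed
                 between events inside the app. Under this reason the value
                 must stay on-device; it may not be sent off-device. -->
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategorySystemBootTime</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>35F9.1</string>
            </array>
        </dict>
        <dict>
            <!-- Disk space category (e.g. volumeAvailableCapacity keys, statfs).
                 E174.1: check there is enough space before writing files.
                 85F4.1: display disk space information to the user. -->
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>E174.1</string>
                <string>85F4.1</string>
            </array>
        </dict>
    </array>
</dict>
</plist>
```

The check Apple describes in the quoted passage is that a reason code is present for every required reason API the binary uses; nothing in the file itself ties the declared reason to what the app does with the value at runtime. That gap between the declaration and the observed off-device traffic is exactly what the researchers’ findings turn on.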

“Apple looks to be consistent with its value proposition to protect its users’ data. This also offers more transparency and control to Apple over developers’ intentions and weeds out bad actors who look to profit from device fingerprinting and tracking users,” said Neil Shah, VP for research and partner at Counterpoint Research.

Potential for improved user privacy

“Device fingerprinting is becoming just like a personal identifier in many ways. By just having a deeper inspection of device settings, etc., one can know a lot about the user and would be very close to privacy infringement,” Techarc’s co-founder and chief analyst Faisal Kawoosa said. “So yes, I think such a move is a good step to further strengthen security by tightening the conditions and putting an additional layer of check to identify the genuineness of the need for any such usage.”

The policy shift reflects growing concern about data collection practices in the app ecosystem. Apple has been trying to position itself as an advocate for user privacy, with features like App Tracking Transparency that inform users about data sharing and let them refuse cross-app tracking.

“Privacy has been a key cornerstone for Apple, and its recent app-centric moves focus on empowering users with transparency around data collection within apps,” said Prabhu Ram, head of the industry intelligence group at CyberMedia Research (CMR). “We need to view this in the broader context of consumer concerns, and related regulatory developments in EU and elsewhere around privacy.”

Enforcement holds the key

Beyond the alleged rule-breaking, the researchers at Mysk criticized Apple’s enforcement mechanism.

While forcing developers to describe their use of required reason API is a great starting point to stop fingerprinting, it gives a false sense of privacy, Mysk wrote in the advisory. “Apple doesn’t provide a mechanism to enforce what developers declare.”

“We have seen this approach when Apple introduced Privacy Nutrition Labels. There is no mechanism to verify what developers show on their apps’ Privacy Nutrition Labels,” Mysk added in the advisory.

“Apple has been talking about fingerprinting protection for many years now. And they have till now refrained from taking any active steps against it,” said Dhiraj Gupta, co-founder and CTO of mFilterIt, a fraud detection and prevention firm. “Fingerprinting is a widespread activity, and a lot of apps use it for targeting (users).”

“How Apple chooses to take action and the strictness of the same (new policy guidelines) will decide how this will impact the app ecosystem,” Gupta said.

Impact on developers

The new policy disrupts the development cycle for app developers.

For small, independent app developers, the adjustment to the new norms could be painful, Ram said. “However, the long-term benefits of a more secure app environment outweigh the initial challenges.”

“The focus on user trust could reshape the app ecosystem, fostering responsible data practices and promoting privacy-conscious SDKs,” he added.

“There has to be a valid reason why any developer is using any fingerprinting data and what is the use case they are trying to address,” Kawoosa said, justifying Apple’s move. “At the same time, it’s also important that the fingerprinting data available to an app developer is not sold/used for any 3rd party monetization.”

Apple’s policy shift is likely to have ripple effects throughout the app ecosystem. While some developers may choose to abandon functionality that depends on these APIs, others will likely adapt within the new framework, leading to a more privacy-focused app ecosystem where users have greater control over their data.

Author: Barbera Armstrong
